ISACA. CISA Practice Questions 2009 All
Подождите немного. Документ загружается.
lesser importance.
351
、
When using a universal storage bus (USB) flash drive to transport
confidential corporate data to an offsite location, an effective control
would be to:
A
、
carry the flash drive in a portable safe.
B
、
assure management that you will not lose the flash drive.
C
、
request that management deliver the flash drive by courier.
D
、
encrypt the folder containing the data with a strong key.
ANSWER:D
NOTE:Encryption, with a strong key, is the most secure method for
protecting the information on the flash drive. Carrying the flash drive in
a portable safe does not guarantee the safety of the information in the
event that the safe is stolen or lost. No matter what measures you take,
the chance of losing the flash drive still exists. It is possible that a
courier might lose the flash drive or that it might be stolen.
352
、
An organization has outsourced its help desk activities. An IS
auditor's GREATEST concern when reviewing the contract and associated
service level agreement (SLA) between the organization and vendor should
be the provisions for:
A
、
documentation of staff background checks.
B
、
independent audit reports or full audit access.
C
、
reporting the year-to-year incremental cost reductions.
D
、
reporting staff turnover, development or training.
ANSWER:B
NOTE:When the functions of an IS department are outsourced, an IS auditor
should ensure that a provision is made for independent audit reports that
cover all essential areas, or that the outsourcer has full audit access.
Although it is necessary to document the fact that background checks are
performed, this is not as important as provisions for audits. Financial
measures such as year-to-year incremental cost reductions are desirable to
have in a service level agreement (SLA); however, cost reductions are not
as important as the availability of independent audit reports or full
audit access. An SLA might include human relationship measures such as
resource planning, staff turnover, development or training, but this is
not as important as the requirements for independent reports or full audit
access by the outsourcing organization.
353
、
To develop a successful business continuity plan, end user
involvement is critical during which of the following phases?
A
、
Business recovery strategy
B
、
Detailed plan development
C
、
Business impact analysis (BIA)
D
、
Testing and maintenance
ANSWER:C
NOTE:End user involvement is critical in the BIA phase. During this phase
the current operations of the business needs to be understood and the
impact on the business of various disasters must be evaluated. End users
are the appropriate persons to provide relevant information for these
tasks. Inadequate end user involvement in this stage could result in an
inadequate understanding of business priorities and the plan not meeting
the requirements of the organization.
354
、
Which of the following is the MOST reliable sender authentication
method?
A
、
Digital signatures
B
、
Asymmetric cryptography
C
、
Digital certificates
D
、
Message authentication code
ANSWER:C
NOTE:Digital certificates are issued by a trusted third party. The message
sender attaches the certificate and the recipient can verify authenticity
with the certificate repository. Asymmetric cryptography, such as public
key infrastructure (PKI), appears to authenticate the sender but is
vulnerable to a man-in-the-middle attack. Digital signatures are used for
both authentication and confidentiality, but the identity of the sender
would still be confirmed by the digital certificate. Message
authentication code is used for message integrity verification.
355
、
Which of the following would be considered an essential feature of a
network management system?
A
、
A graphical interface to map the network topology
B
、
Capacity to interact with the Internet to solve the problems
C
、
Connectivity to a help desk for advice on difficult issues
D
、
An export facility for piping data to spreadsheets
ANSWER:A
NOTE:To trace the topology of the network, a graphical interface would be
essential. It is not necessary that each network be on the Internet and
connected to a help desk, while the ability to export to a spreadsheet is
not an essential element.
356
、
Which of the following is a passive attack to a network?
A
、
Message modification
B
、
Masquerading
C
、
Denial of service
D
、
Traffic analysis
ANSWER:D
NOTE:The intruder determines the nature of the flow of traffic (traffic
analysis) between defined hosts and is able to guess the type of
communication taking place. Message modification involves the capturing of
a message and making unauthorized changes or deletions, changing the
sequence or delaying transmission of captured messages. Masquerading is an
active attack in which the intruder presents an identity other than the
original identity. Denial of service occurs when a computer connected to
the Internet is flooded with data and/or requests that must be processed.
357
、
When planning an audit of a network setup, an IS auditor should give
highest priority to obtaining which of the following network
documentation?
A
、
Wiring and schematic diagram
B
、
Users' lists and responsibilities
C
、
Application lists and their details
D
、
Backup and recovery procedures
ANSWER:A
NOTE:The wiring and schematic diagram of the network is necessary to carry
out a network audit. A network audit may not be feasible if a network
wiring and schematic diagram is not available. All other documents are
important but not necessary.
358
、
In large corporate networks having supply partners across the globe,
network traffic may continue to rise. The infrastructure components in
such environments should be scalable. Which of the following firewall
architectures limits future scalability?
A
、
Appliances
B
、
Operating system-based
C
、
Host-based
D
、
Demilitarized
ANSWER:A
NOTE:The software for appliances is embedded into chips. Firmware-based
firewall products cannot be moved to higher capacity servers. Firewall
software that sits on an operating system can always be scalable due to
its ability to enhance the power of servers. Host-based firewalls operate
on top of the server operating system and are scalable. A demilitarized
zone is a model of firewall implementation and is not a firewall
architecture.
359
、
An organization is using an enterprise resource management (ERP)
application. Which of the following would be an effective access control?
A
、
User-level permissions
B
、
Role-based
C
、
Fine-grained
D
、
Discretionary
ANSWER:B
NOTE:Role-based access controls the system access by defining roles for a
group of users. Users are assigned to the various roles and the access is
granted based on the user's role. User-level permissions for an ERP system
would create a larger administrative overhead. Fine-grained access control
is very difficult to implement and maintain in the context of a large
enterprise. Discretionary access control may be configured or modified by
the users or data owners, and therefore may create inconsistencies in the
access control management.
360
、
During a human resources (HR) audit, an IS auditor is informed that
there is a verbal agreement between the IT and HR departments as to the
level of IT services expected. In this situation, what should the IS
auditor do FIRST?
A
、
Postpone the audit until the agreement is documented
B
、
Report the existence of the undocumented agreement to senior
management
C
、
Confirm the content of the agreement with both departments
D
、
Draft a service level agreement (SLA) for the two departments
ANSWER:C
NOTE:An IS auditor should first confirm and understand the current
practice before making any recommendations. The agreement can be
documented after it has been established that there is an agreement in
place. The fact that there is not a written agreement does not justify
postponing the audit, and reporting to senior management is not necessary
at this stage of the audit. Drafting a service level agreement (SLA) is
not the IS auditor's responsibility.
361
、
The optimum business continuity strategy for an entity is determined
by the:
A
、
lowest downtime cost and highest recovery cost.
B
、
lowest sum of downtime cost and recovery cost.
C
、
lowest recovery cost and highest downtime cost.
D
、
average of the combined downtime and recovery cost.
ANSWER:B
NOTE:Both costs have to be minimized, and the strategy for which the costs
are lowest is the optimum strategy. The strategy with the highest recovery
cost cannot be the optimum strategy. The strategy with the highest
downtime cost cannot be the optimum strategy. The average of the combined
downtime and recovery cost will be higher than the lowest combined cost of
downtime and recovery.
362
、
A large chain of shops with electronic funds transfer (EFT) at
point-of-sale devices has a central communications processor for
connecting to the banking network. Which of the following is the BEST
disaster recovery plan for the communications processor?
A
、
Offsite storage of daily backups
B
、
Alternative standby processor onsite
C
、
Installation of duplex communication links
D
、
Alternative standby processor at another network node
ANSWER:D
NOTE:Having an alternative standby processor at another network node would
be the best solution. The unavailability of the central communications
processor would disrupt all access to the banking network, resulting in
the disruption of operations for all of the shops. This could be caused by
failure of equipment, power or communications. Offsite storage of backups
would not help, since EFT tends to be an online process and offsite
storage will not replace the dysfunctional processor. The provision of an
alternate processor onsite would be fine if it were an equipment problem,
but would not help in the case of a power outage. Installation of duplex
communication links would be most appropriate if it were only the
communication link that failed.
363
、
An IS auditor reviewing an accounts payable system discovers that
audit logs are not being reviewed. When this issue is raised with
management the response is that additional controls are not necessary
because effective system access controls are in place. The BEST response
the auditor can make is to:
A
、
review the integrity of system access controls.
B
、
accept management's statement that effective access controls are in
place.
C
、
stress the importance of having a system control framework in place.
D
、
review the background checks of the accounts payable staff.
ANSWER:C
NOTE:Experience has demonstrated that reliance purely on preventative
controls is dangerous. Preventative controls may not prove to be as strong
as anticipated or their effectiveness can deteriorate over time.
Evaluating the cost of controls versus the quantum of risk is a valid
management concern. However, in a high-risk system a comprehensive control
framework is needed. Intelligent design should permit additional detective
and corrective controls to be established that don't have high ongoing
costs, e.g., automated interrogation of logs to highlight suspicious
individual transactions or data patterns. Effective access controls are,
in themselves, a positive but, for reasons outlined above, may not
sufficiently compensate for other control weaknesses. In this situation
the IS auditor needs to be proactive. The IS auditor has a fundamental
obligation to point out control weaknesses that give rise to unacceptable
risks to the organization and work with management to have these
corrected. Reviewing background checks on accounts payable staff does not
provide evidence that fraud will not occur.
364
、
Which of the following procedures would BEST determine whether
adequate recovery/restart procedures exist?
A
、
Reviewing program code
B
、
Reviewing operations documentation
C
、
Turning off the UPS, then the power
D
、
Reviewing program documentation
ANSWER:B
NOTE:Operations documentation should contain recovery/restart procedures,
so operations can return to normal processing in a timely manner. Turning
off the uninterruptible power supply (UPS) and then turning off the power
might create a situation for recovery and restart, but the negative effect
on operations would prove this method to be undesirable. The review of
program code and documentation generally does not provide evidence
regarding recovery/restart procedures.
365
、
An IS auditor noted that an organization had adequate business
continuity plans (BCPs) for each individual process, but no comprehensive
BCP. Which would be the BEST course of action for the IS auditor?
A
、
Recommend that an additional comprehensive BCP be developed.
B
、
Determine whether the BCPs are consistent.
C
、
Accept the BCPs as written.
D
、
Recommend the creation of a single BCP.
ANSWER:B
NOTE:Depending on the complexity of the organization, there could be more
than one plan to address various aspects of business continuity and
disaster recovery. These do not necessarily have to be integrated into one
single plan; however, each plan should be consistent with other plans to
have a viable business continuity planning strategy.
366
、
What method might an IS auditor utilize to test wireless security at
branch office locations?
A
、
War dialing
B
、
Social engineering
C
、
War driving
D
、
Password cracking
ANSWER:C
NOTE:War driving is a technique for locating and gaining access to
wireless networks by driving or walking with a wireless equipped computer
around a building. War dialing is a technique for gaining access to a
computer or a network through the dialing of defined blocks of telephone
numbers, with the hope of getting an answer from a modem. Social
engineering is a technique used to gather information that can assist an
attacker in gaining logical or physical access to data or resources.
Social engineering exploits human weaknesses. Password crackers are tools
used to guess users' passwords by trying combinations and dictionary
words.
367
、
Which of the following is the MOST secure and economical method for
connecting a private network over the Internet in a small- to medium-sized
organization?
A
、
Virtual private network
B
、
Dedicated line
C
、
Leased line
D
、
Integrated services digital network
ANSWER:A
NOTE:The most secure method is a virtual private network (VPN), using
encryption, authentication and tunneling to allow data to travel securely
from a private network to the Internet. Choices B, C and D are network
connectivity options that are normally too expensive to be practical for
small- to medium-sized organizations.
368
、
Which of the following BEST restricts users to those functions
needed to perform their duties?
A
、
Application level access control
B
、
Data encryption
C
、
Disabling floppy disk drives
D
、
Network monitoring device
ANSWER:A
NOTE:The use of application-level access control programs is a management
control that restricts access by limiting users to only those functions
needed to perform their duties. Data encryption and disabling floppy disk
drives can restrict users to specific functions, but are not the best
choices. A network monitoring device is a detective control, not a
preventive control.
369
、
An IS auditor has been assigned to review IT structures and
activities recently outsourced to various providers. Which of the
following should the IS auditor determine FIRST?
A
、
That an audit clause is present in all contracts
B
、
That the SLA of each contract is substantiated by appropriate KPIs
C
、
That the contractual warranties of the providers support the
business needs of the organization
D
、
That at contract termination, support is guaranteed by each
outsourcer for new outsourcers
ANSWER:C
NOTE:The complexity of IT structures matched by the complexity and
interplay of responsibilities and warranties may affect or void the
effectiveness of those warranties and the reasonable certainty that the
business needs will be met. All other choices are important, but not as
potentially dangerous as the interplay of the diverse and critical areas
of the contractual responsibilities of the outsourcers.
370
、
Which of the following procedures would MOST effectively detect the
loading of illegal software packages onto a network?
A
、
The use of diskless workstations
B
、
Periodic checking of hard drives
C
、
The use of current antivirus software
D
、
Policies that result in instant dismissal if violated
ANSWER:B
NOTE:The periodic checking of hard drives would be the most effective
method of identifying illegal software packages loaded to the network.
Antivirus software will not necessarily identify illegal software, unless
the software contains a virus. Diskless workstations act as a preventive
control and are not effective, since users could still download software
from other than diskless workstations. Policies lay out the rules about
loading the software, but will not detect the actual occurrence.
371
、
What control detects transmission errors by appending calculated
bits onto the end of each segment of data?
A
、
Reasonableness check
B
、
Parity check
C
、
Redundancy check
D
、
Check digits
ANSWER:C
NOTE:A redundancy check detects transmission errors by appending
calculated bits onto the end of each segment of data. A reasonableness
check compares data to predefined reasonability limits or occurrence rates
established for the data. A parity check is a hardware control that
detects data errors when data are read from one computer to another, from
memory or during transmission. Check digits detect transposition and
transcription errors.
372
、
Which of the following would an IS auditor consider to be the MOST
important when evaluating an organization's IS strategy? That it:
A
、
has been approved by line management.
B
、
does not vary from the IS department's preliminary budget.
C
、
complies with procurement procedures.
D
、
supports the business objectives of the organization.
ANSWER:D
NOTE:Strategic planning sets corporate or department objectives into
motion. Both long-term and short-term strategic plans should be consistent
with the organization's broader plans and business objectives for
attaining these goals. Choice A is incorrect since line management
prepared the plans.
373
、
During an audit, an IS auditor notices that the IT department of a
medium-sized organization has no separate risk management function, and
the organization's operational risk documentation only contains a few
broadly described IT risks. What is the MOST appropriate recommendation in
this situation?
A
、
Create an IT risk management department and establish an IT risk
framework with the aid of external risk management experts.
B
、
Use common industry standard aids to divide the existing risk
documentation into several individual risks which will be easier to
handle.
C
、
No recommendation is necessary since the current approach is
appropriate for a medium-sized organization.
D
、
Establish regular IT risk management meetings to identify and assess
risks, and create a mitigation plan as input to the organization's risk
management.
ANSWER:D
NOTE:Establishing regular meetings is the best way to identify and assess
risks in a medium-sized organization, to address responsibilities to the
respective management and to keep the risk list and mitigation plans up to
date. A medium-sized organization would normally not have a separate IT
risk management department. Moreover, the risks are usually manageable
enough so that external help would not be needed. While common risks may
be covered by common industry standards, they cannot address the specific
situation of an organization. Individual risks will not be discovered
without a detailed assessment from within the organization. Splitting the